Government Hard Drives and Security Risks – an Industry Q & A

With so many devices featuring hard drives, security vulnerabilities abound.

Office equipment like digital photocopiers contain hard drives which can be a potential target for data theft, especially if the machinery is resold after it’s been used. The equipment stores information from documents that have been scanned or copied.

In 2010 CBS News investigated how easy it would be to purchase a used copier with sensitive documents stored on the machine. One copier, sold out of a warehouse in New Jersey, contained information on the Buffalo, N.Y., Police Sex Crimes Division. The full report can be found here.

So should government agencies be worried about sensitive data being exposed via discarded office equipment ?

In an interview with Government Technology, Vince Jannelli, director of product management partners within Sharp Imaging and Information Company of America, said storage devices in government offices may pose security risks.

What types of equipment in government offices face security risks and other vulnerabilities?

I would say as a whole that any network device introduces vulnerability because it sits on the network and so it needs to behave like a good citizen. This is also true for any device that has storage. So you have laptops, computers as well as things like thumb drives, which many government entities disable. Also included in this list of devices would be digital copiers and multi-function printers.

Most of the devices that are out there today are digital because there’s a lot of benefits. I could do a lot of different things and that’s because of the use of storage in the hard drive.

What risks does equipment pose and what risks do users face?

First you would need to think of not only where the equipment sits on the network but what the device being used for. And so any network device could contain some confidential or protected information. Some devices by nature, their location and who uses them are more likely to expose confidential information. The first thing to do to mitigate risk is to think about how do you secure the data that is accessed at the device? One of the most important safeguards is to make sure the data is encrypted as it’s stored on the device. When I store something on my hard drive I encrypt it. If someone stole my laptop but didn’t have my password, then if they took the hard drive out of my laptop and then put it into another device so they could read it, they couldn’t; they’d have to decrypt it. And that requires a certain level of talent. If I didn’t encrypt it, then somebody could steal my laptop. If they couldn’t log in, all they would have to do is take out the hard drive and plug it into an external drive and dock it to their PC and they could access all the data on it.

Within state and local governments, how severe of a problem are digital copiers to potential threats?

It depends on the entity. It was in Buffalo, New York where a printer was resold and it had records of people that were processed. The printer was sold by the Police Sex Crimes Division and so the victim’s personal information was on there. So in that kind of a case, what you’d want to do when you have really protected information is to overwrite every time that you scan a job — what I would call a persistent security mode. And that means that after every job, I would overwrite the data so there was no latent image data left on the device. If I’m in a government agency where I’m not using or copying or printing or scanning confidential information that much, then what I’d want to make sure is that at the time that my lease — because a copier, for instance, is typically leased — is over, I had a system in place to overwrite the hard drive of the device. It’s a process that the local government entity could either purchase through a local provider or it could be a feature that’s enabled on the product. It depends on the generation of the product itself.

Are state and local governments following these procedures?

I know there are several states that have legislation in place and by in place, I should say “on the floor,” discussion. They are looking to legislate that public entities actually do this — put a process in place.
Would you say that following these processes is something government agencies should do to better protect themselves?

Yes, I think regardless of the legislation, if the device has a hard drive, the agency should look at proper disposal methods which would include regularly overwriting the hard drive or, at minimum, overwriting at the end of the lease before it’s disposed of. But I would bet that most agencies do have a process in place where hard drives are either removed and destroyed or they hire a third party to make sure that they’re overwritten so that no sensitive information leaves the entity.

In 2008, Sarah Rich graduated from California State University, Chico, where she majored in news-editorial journalism and minored in sociology. She wrote for for Government Technology magazine from 2010 through 2013.

DISCUSS

We invite you to discuss and comment on this article using social media.